aleposis2016
Forum Replies Created
James, one of the main points in securing software is not providing unnecessary information to the outside world. I can’t really understand why the community has chosen this posture of “nobody should be accessing that file in the first place”. That is just wrong, period.
In the end I preferred to modify WP core files as I stated in my solution above. These files are wrong when they access variables without prior checking and handling, because they are open to the outside. If they were files in the /wp-includes/, which is unaccessible for the outside world, they could be just fine.
It is sad to see such misconceptions in a robust project such as WP; one that boosts itself for hosting 25% of the web. But on the other hand, that also helps to understand why the web is such a paradise for hackers and spammers: it is a knick-knack of negligent code being released in production.
Thank you Jan. I thought that WP core files were “leakage-proof” in the sense that in an ordinary install, the ordinary user wouldn’t have to reconfigure php in order to set it as a production build.
What I also thought is that a
if ( ! defined('ABSPATH')) die('');
in the beginning of the file wouldn’t do any harm to the WP core yet protecting the website “for free”.
What is your opinion on this solution, if I may ask? Perhaps this is something already addressed by the dev community and I am just not really aware of its rationale.
Thanks
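An added example, not part of the posts above and not WordPress code: a small audit that lists PHP files which neither carry the ABSPATH guard quoted above nor define ABSPATH themselves (entry points such as wp-load.php cannot carry the guard). The function names, the 40-line window and the sample files are assumptions made for illustration, and the comment stripping is a heuristic rather than a PHP parser.

```python
import re
from pathlib import Path

# The guard from the post, tolerating spacing, quote style and braces:
#   if ( ! defined('ABSPATH')) die('');   /   if ( ! defined( "ABSPATH" ) ) { exit; }
GUARD_RE = re.compile(r"""defined\s*\(\s*['"]ABSPATH['"]\s*\)[^;]*\b(?:die|exit)\b""")
# A file that defines ABSPATH is an entry point and cannot be guarded this way.
DEFINES_RE = re.compile(r"""\bdefine\s*\(\s*['"]ABSPATH['"]""")
# Heuristic: drop /* */ blocks and //, # line comments so a commented-out
# guard is not counted (may also cut strings that contain // or #).
COMMENT_RE = re.compile(r"/\*.*?\*/|(?://|#)[^\n]*", re.S)

def classify(source, head_lines=40):
    """Return 'guarded', 'entry-point' or 'unguarded' for one PHP source text."""
    code = COMMENT_RE.sub("", source)
    # The guard only helps if it runs before the rest of the file does.
    head = "\n".join(code.splitlines()[:head_lines])
    if GUARD_RE.search(head):
        return "guarded"
    if DEFINES_RE.search(code):
        return "entry-point"
    return "unguarded"

def audit(root):
    """Relative paths of unguarded *.php files under root, sorted."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        if classify(text) == "unguarded":
            findings.append(path.relative_to(root).as_posix())
    return findings

# Constructed sample files (not taken from a real install).
SAMPLES = {
    "wp-load.php": "<?php\nif ( ! defined( 'ABSPATH' ) ) {\n\tdefine( 'ABSPATH', __DIR__ . '/' );\n}\n",
    "lib/guarded.php": "<?php\n/** Doc block. */\nif ( ! defined('ABSPATH')) die('');\necho $title;\n",
    "lib/open.php": "<?php\n// if ( ! defined('ABSPATH')) die('');\necho $undefined_title;\n",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(f"{name}: {classify(src)}")
```

A file reported as unguarded is only a candidate for review: whether it leaks anything when requested directly still depends on what it executes at load time and on the PHP error display settings.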